[olug] NAT - netfilter or routing

Daniel G. Linder dlinder at iprevolution.com
Fri Apr 4 21:45:46 UTC 2003


David Walker [mailto:linux_user at grax.com] wrote:
> does anyone know of a way to do one to one nat for a range without 
> individually specifying each single mapping?
> 
> i.e.  10.1.2.0/24 gets natted to 192.168.2.0/24 with 
> ...
> 10.1.2.3 = 192.168.2.3
> ...
> 10.1.2.232 = 192.168.2.232
> etc.

From my reading on the SNAT/DNAT stuff, it will do it "randomly"
(probably for load balancing and/or outbound NAT gateways) so I had to
write a simple script to call the iptables command 256 times... :(  That
was Ok though, because I wanted a different LOG line based on the IP
address anyway.  :)

BTW, initial testing of my "NAT Box From Hades" looks pretty promising.
Scenario: We have customers we need to cutover from one range of IP
addresses to another in a transparent fashion.  They don't want the
down-time associated with DNS propagation delays and coordinating DNS
changes amongst their customers so....  Enter Linux as the saviour
again!

I have setup our outside routers that route the "old" IP addresses to
this NAT box, and the "new" IP addresses to the customer equipment.  The
NAT box does a source and destination mapping using DNAT to change
"old.ip.address.XXX" to "new.ip.address.XXX".  Here is the basic script:

In this sample, I want to map all 12.34.56.X/24 to 78.90.10.X/24 on a
1-to-1 basis.

1: NAT the source address...  (This way the packets come back to this
machine (12.12.12.12) to get un-NAT'ed.)
# POSTROUTING runs after the DNAT in step 2 and sees the rewritten
# destination, so this rule has to match the NEW range, not the old one:
iptables -t nat -A POSTROUTING -d 78.90.10.0/24 -j SNAT --to-source 12.12.12.12

2: NAT the destination address...
#!/usr/bin/perl
use strict;
use warnings;
for (my $x = 0; $x <= 255; $x++) {
  # Log the hits... (forwarded packets pass FORWARD, not INPUT, and DNAT has
  # already rewritten them to 78.90.10.$x by then; the last octet matches,
  # so the prefix still names the old address)
  system("/sbin/iptables -A FORWARD -i eth0 -d 78.90.10.$x -m limit --limit 1/day"
       . " --limit-burst 1 -j LOG --log-prefix 'OLD:12.34.56.$x :'") == 0
    or die "LOG rule for .$x failed: $?";
  # Re-write the hit packets to GO where they need to go...
  system("/sbin/iptables -t nat -A PREROUTING -i eth0 -d 12.34.56.$x -j DNAT"
       . " --to-destination 78.90.10.$x") == 0
    or die "DNAT rule for .$x failed: $?";
}

3: Make sure we know where to send the "new" packets for 78.90.10.X/24.
(The appropriate gateway is 12.12.12.1)
/sbin/route add -net 78.90.10.0 netmask 255.255.255.0 gw 12.12.12.1

Hope this helps someone in the future.

Dan
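The mapping above generated as an iptables-restore file, as an added example that is not part of Dan's post: it uses the page's addresses (12.34.56.0/24 to 78.90.10.0/24, NAT box 12.12.12.12, eth0) and places the SNAT and LOG rules where netfilter actually sees a DNATed, forwarded packet (POSTROUTING matching the new range, LOG in FORWARD). The function names and the iptables-restore layout are my own; the route to 12.12.12.1 from step 3 is still added separately.

```shell
#!/bin/sh
# Emit the 1:1 /24 mapping as an iptables-restore file, so the 512 rules
# load atomically with one command instead of 512 iptables invocations.
#   gen_nat_rules OLD_NET NEW_NET NATBOX_IP IFACE
# OLD_NET / NEW_NET are the first three octets (e.g. 12.34.56 78.90.10).
# iptables-restore flushes every table named in the file unless run with
# --noflush, so merge this into an existing ruleset rather than loading
# it blind.
gen_nat_rules() {
    old=$1 new=$2 self=$3 dev=$4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    x=0
    while [ "$x" -le 255 ]; do
        # Rewrite old.X -> new.X before the routing decision.
        printf '%s\n' "-A PREROUTING -i $dev -d $old.$x -j DNAT --to-destination $new.$x"
        x=$((x + 1))
    done
    # POSTROUTING runs after DNAT and sees the new destination, so the SNAT
    # that pulls replies back through this box must match the NEW range.
    printf '%s\n' "-A POSTROUTING -d $new.0/24 -j SNAT --to-source $self" COMMIT
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    x=0
    while [ "$x" -le 255 ]; do
        # Forwarded traffic never reaches INPUT; log it in FORWARD, rate
        # limited to one line per old address per day, tagged with the OLD
        # address so the log shows who still uses the retired range.
        printf '%s\n' "-A FORWARD -i $dev -d $new.$x -m limit --limit 1/day --limit-burst 1 -j LOG --log-prefix \"OLD:$old.$x :\""
        x=$((x + 1))
    done
    echo COMMIT
}

# Count the rules matching a pattern in the generated file (sanity check).
count_rules() {
    pat=$1; shift
    gen_nat_rules "$@" | grep -c -- "$pat"
}

# Write the ruleset to stdout when run directly with four arguments, e.g.
#   sh gen_nat_rules.sh 12.34.56 78.90.10 12.12.12.12 eth0 | iptables-restore
if [ "$#" -eq 4 ]; then
    gen_nat_rules "$@"
fi
```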

